
Backdoor.Suckfly


First posted on 29 December 2015.
Source: Symantec

Aliases :

There are no other names known for Backdoor.Suckfly.

Explanation :

When this Trojan is executed, it creates a copy of itself as the following: %System%\SPmsamger.dll
The Trojan may drop the following components, which are used to enable SSL encryption for the back door:
%Temp%\ssleay32.dll
%Temp%\libeay32.dll
Next, the Trojan creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\"msamger" = "msamger"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msamger\"Description" = "Support Security Accounts Manager For Microsoft Windows. If this service is stopped, any services that depended on it will fail to start."
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msamger\"DisplayName" = "Microsoft Security Accounts Manager"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msamger\"ImagePath" = "%SystemDrive%\System\svchost.exe -k msamger"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msamger\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msamger\"Type" = "20"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msamger\Parameters\"ServiceDll" = "%System%\SPmsamger.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msamger\Parameters\"ServiceMain" = "DllRegistryEntry"
The Trojan then tries to connect to the following remote location: ssl.microsoft-security-center.com
The Trojan checks whether the remote location resolves to the following IP address; if it does, the Trojan does not execute: 127.0.0.1
The Trojan may then perform the following actions:
Inject code into other processes to hide its infection routine
Create a new service named msamger (Microsoft Security Accounts Manager)
Download and execute files
Write data to a file
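A defender-side check for the persistence pattern described above, added here as an example and not part of the Symantec writeup. It parses a constructed, simplified .reg-style listing (not taken from a real host; the Schedule/netsvcs entry is a benign contrast) and flags svchost-hosted services whose ImagePath does not point at the genuine %SystemRoot%\System32\svchost.exe, whose -k group is missing from the Svchost key, or which lack a ServiceDll. The function names parse_reg_export and suspicious_svchost_services are my own; the msamger entry is caught by the first rule because its ImagePath is %SystemDrive%\System\svchost.exe rather than the System32 copy.

```python
import re
# Constructed sample (not from a real host): the advisory's persistence keys plus a benign svchost service.
SAMPLE_REG_EXPORT = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"msamger"="msamger"
"netsvcs"="Schedule"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msamger]
"ImagePath"="%SystemDrive%\System\svchost.exe -k msamger"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msamger\Parameters]
"ServiceDll"="%System%\SPmsamger.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters]
"ServiceDll"="%SystemRoot%\System32\schedsvc.dll"
"""
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SVCHOST_GROUPS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
# The genuine service host lives in %SystemRoot%\System32; any other path is a red flag.
LEGIT_SVCHOST = re.compile(r"^(%SystemRoot%|C:\\Windows)\\System32\\svchost\.exe", re.I)

def parse_reg_export(text):
    """Map each registry key path to a {value_name: value_data} dict."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"')
    return keys

def suspicious_svchost_services(keys):
    """Return {service: [reasons]} for svchost-hosted services showing persistence red flags."""
    groups, findings = keys.get(SVCHOST_GROUPS, {}), {}
    for key, values in keys.items():
        parent, _, name = key.rpartition("\\")
        m = re.search(r"svchost\.exe\s+-k\s+(\S+)", values.get("ImagePath", ""), re.I)
        if parent != SERVICES or not m:
            continue  # not a service key, or not hosted by svchost.exe
        reasons = []
        if not LEGIT_SVCHOST.match(values["ImagePath"]):
            reasons.append("svchost.exe loaded from outside %SystemRoot%\\System32")
        if m.group(1) not in groups:
            reasons.append(f"svchost group {m.group(1)!r} is not registered")
        if "ServiceDll" not in keys.get(key + "\\Parameters", {}):
            reasons.append("no ServiceDll under Parameters")
        if reasons:
            findings[name] = reasons
    return findings
```

On a live host the same logic applies to a `reg export` of the two hives; the sample merely stands in for that output.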

Last update 29 December 2015
